code-server 4.0.0 behind nginx reports wrong port #4607
Comments
|
Same problem with my setup. I'm running code-server via JupyterHub as part of a JupyterLab image with Traefik as a reverse proxy. @code-asher @jsjoeio @bpmct You may check at https://vscode-r.jupyter.b-data.ch. |
|
Propably completely independent from the proxy. Can reproduce it with Caddy and Apache ;). |
|
@fritterhoff do you mind posting repro steps for Caddy? I have experience with that so it'd be easier for me to investigate |
jsjoeio
added
the
needs-investigation
|
Well pretty simple and without any magic:
|
code-asher
added
bug
|
@code-asher you mention in your last commit "does not work behind reverse proxies unless they send the right headers containing information about the proxied source" which headers would be required? |
Trying to determine the remote authority on the backend is brittle because it does not work behind reverse proxies unless they send the right headers containing information about the proxied source. We could require users add the relevant configuration or provide the remote authority via a flag but neither are user-friendly options. We can make it work out of the box by changing the frontend to make requests to its current address (which is what we try to set the remote authority to anyway). This actually already happens for the most part except in some UI and logs although recent issues suggest there might be other problems which should be entirely resolved by setting this on the frontend. In other words, the remote authority we set on the backend should never be used so we set it to something invalid to ensure we notice (the alternative is to rip it out but that is probably a bigger patch thus generating more conflicts). One scenario where we might want to set the remote authority from the backend is if the frontend is served from a different location than the backend but that is not supported behavior at the moment. Even if we did support this we still cannot determine the authority from the backend (even for non-proxy scenarios in this case) and would need to add a flag for it so this change would still be necessary. coder/code-server#4604 coder/code-server#4607 coder/code-server#4608
|
|
|
There might still be weirdness caused by the code explicitly adding an |
|
Mhm okay than the current implementation may also have a bug as caddy sets some headers by default: So my upper example for caddy should work as expected and provide me an |
|
@code-asher Træfik sets |
|
Huh, interesting. There must be something else wrong with the code. I am curious as to the problem but I ended up just removing the logic entirely in favor of just setting it to |
|
I poked into it anyway but it seems like the forwarded headers should work: And yet it is actually setting the remote authority to "vscode-r.jupyter.b-data.ch:80". I guess it is academic at this point but quite confusing. 😕 |
|
Ah...the headers appear to be lowercased so they do not match. Not sure if they always come that way or if Express lowercases them. 🤦 So I guess |
|
still same problem |
|
As a temporary solution just in case this helps anyone, I've just made sure that |
Fixes coder#3410 Fixes coder#4604 Fixes coder#4607 Fixes coder#4608 Fixes coder#4609 Also has the foundation for coder#4619.
|
I fixed this issue in Apache by adding a Forwarded header to my apache config as follows: |
Trying to determine the remote authority on the backend is brittle because it does not work behind reverse proxies unless they send the right headers containing information about the proxied source. We could require users add the relevant configuration or provide the remote authority via a flag but neither are user-friendly options. We can make it work out of the box by changing the frontend to make requests to its current address (which is what we try to set the remote authority to anyway). This actually already happens for the most part except in some UI and logs although recent issues suggest there might be other problems which should be entirely resolved by setting this on the frontend. In other words, the remote authority we set on the backend should never be used so we set it to something invalid to ensure we notice (the alternative is to rip it out but that is probably a bigger patch thus generating more conflicts). One scenario where we might want to set the remote authority from the backend is if the frontend is served from a different location than the backend but that is not supported behavior at the moment. Even if we did support this we still cannot determine the authority from the backend (even for non-proxy scenarios in this case) and would need to add a flag for it so this change would still be necessary. coder/code-server#4604 coder/code-server#4607 coder/code-server#4608
Trying to determine the remote authority on the backend is brittle because it does not work behind reverse proxies unless they send the right headers containing information about the proxied source. We could require users add the relevant configuration or provide the remote authority via a flag but neither are user-friendly options. We can make it work out of the box by changing the frontend to make requests to its current address (which is what we try to set the remote authority to anyway). This actually already happens for the most part except in some UI and logs although recent issues suggest there might be other problems which should be entirely resolved by setting this on the frontend. In other words, the remote authority we set on the backend should never be used so we set it to something invalid to ensure we notice (the alternative is to rip it out but that is probably a bigger patch thus generating more conflicts). One scenario where we might want to set the remote authority from the backend is if the frontend is served from a different location than the backend but that is not supported behavior at the moment. Even if we did support this we still cannot determine the authority from the backend (even for non-proxy scenarios in this case) and would need to add a flag for it so this change would still be necessary. coder/code-server#4604 coder/code-server#4607 coder/code-server#4608
Trying to determine the remote authority on the backend is brittle because it does not work behind reverse proxies unless they send the right headers containing information about the proxied source. We could require users add the relevant configuration or provide the remote authority via a flag but neither are user-friendly options. We can make it work out of the box by changing the frontend to make requests to its current address (which is what we try to set the remote authority to anyway). This actually already happens for the most part except in some UI and logs although recent issues suggest there might be other problems which should be entirely resolved by setting this on the frontend. In other words, the remote authority we set on the backend should never be used so we set it to something invalid to ensure we notice (the alternative is to rip it out but that is probably a bigger patch thus generating more conflicts). One scenario where we might want to set the remote authority from the backend is if the frontend is served from a different location than the backend but that is not supported behavior at the moment. Even if we did support this we still cannot determine the authority from the backend (even for non-proxy scenarios in this case) and would need to add a flag for it so this change would still be necessary. coder/code-server#4604 coder/code-server#4607 coder/code-server#4608
Using the following nginx configuration (fragment) in combination the SSL and code server reports port 80 in code-server instead of 443/https?
The text was updated successfully, but these errors were encountered: